No interfaces found by Wireshark 2.0 on El Capitan (OS X 10.11.2)

Question

I cannot get Wireshark to see network interfaces when I start it under El Capitan 10.11.2

Answer 1

1

I remember hearing concerns about possible security issues with this command, but after every reboot I type

sudo chmod 644 /dev/bpf*

I am then prompted for my admin password. After that, all interfaces appear in Wireshark...until the next reboot.

answered 20 Jan '16, 09:37

MisterFalcon
26●1●1●7
accept rate: 0%

Yes that worked!! Thanks!!! Now the interfaces can be seen!

Here is what I did based on your suggestion:

bash-3.2# ls -l bpf*
crw-------  1 root  wheel   23,   0 Jan 20 12:42 bpf0
crw-------  1 root  wheel   23,   1 Jan 20 12:42 bpf1
crw-------  1 root  wheel   23,   2 Jan 21 00:42 bpf2
crw-------  1 root  wheel   23,   3 Jan 20 12:42 bpf3
crw-------  1 root  wheel   23,   4 Jan 20 12:42 bpf4
crw-------  1 root  wheel   23,   5 Jan 20 12:42 bpf5
bash-3.2# chmod 644 bpf*
bash-3.2# ls -l bpf*
crw-r--r--  1 root  wheel   23,   0 Jan 20 12:42 bpf0
crw-r--r--  1 root  wheel   23,   1 Jan 20 12:42 bpf1
crw-r--r--  1 root  wheel   23,   2 Jan 21 00:42 bpf2
crw-r--r--  1 root  wheel   23,   3 Jan 20 12:42 bpf3
crw-r--r--  1 root  wheel   23,   4 Jan 20 12:42 bpf4
crw-r--r--  1 root  wheel   23,   5 Jan 20 12:42 bpf5
bash-3.2#

I wish Apple would reverse their SIP policy and allow user to install legitimite devices and applications such as wireshark, without dancing around permissions

(21 Jan '16, 10:17) Boilermaker

I just installed Wireshark on an El Capitan 10.11.2 virtual machine, and, after installing Wireshark, there were a lot more BPF devices, they all had permission rw-rw----, and were owned by group access_bpf, all of which is as it's supposed to be.

This persists across a reboot.

Uninstalling Wireshark (complete with uninstalling the launchd service that sets the BPF permissions at boot time), updating to 10.11.3, and installing Wireshark had the same result.

SIP was turned on during the entire process, so it's not as if it's what's getting in the way.

What does the command ls -l /Library/LaunchDaemons/ print on your machines?

(21 Jan '16, 11:12) Guy Harris ♦♦

Mine shows 'org.wireshark.ChmodBPF.plist'.

But the therein referenced '/Library/Application Support/Wireshark' directory is owned by user:group '504:wheel' who is definitely not on this system?

Seems to work though, since after reboot I can have interfaces to capture from.

(22 Jan '16, 04:35) Jaap ♦

On mine - El Capitan 10.11.2, both before and after entering the chmod 644 /dev/bpf* command I see

$ ls -l /Library/LaunchDaemons/
total 48
-rw-r--r--  1 root  wheel  462 24 Apr  2014 com.adobe.fpsaud.plist
[email protected] 1 root  wheel  818 15 Dec 07:53 com.google.keystone.daemon.plist
-rw-r--r--  1 root  wheel  572 17 Nov 10:21 com.oracle.JavaInstallHelper.plist
lrwxr-xr-x  1 root  wheel  103 12 Nov  2014 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist
-rw-r--r--  1 root  wheel  588  7 Sep 09:56 com.oracle.java.JavaUpdateHelper.plist
-rw-r--r--  1 root  wheel  670 16 Oct 04:48 org.macosforge.xquartz.privileged_startx.plist
$

How does one completely uninstall wireshark and he launchd service as mentioned on OSX?

(22 Jan '16, 06:26) MisterFalcon